Data Processing Addendum (DPA)

This DPA forms part of the Smartify Expense Terms of Service and applies where Smartify processes personal data on behalf of a customer (the "Controller").

1. Subject matter and duration

Subject matter: provision of the Smartify Expense Service. Duration: the term of the subscription plus any post-termination data export window.

2. Nature and purpose

Processing receipts, expenses, approvals, reimbursements, reporting, and related notifications.

3. Categories of data subjects

Customer employees, contractors, and approvers using the Service.

4. Categories of personal data

Identifiers, contact data, expense and reimbursement data, device/log data, and any data the Controller chooses to upload into receipts or notes.

5. Processor obligations

• Process only on documented instructions from the Controller.
• Ensure personnel are bound by confidentiality.
• Implement appropriate technical and organisational measures (see Security).
• Engage sub-processors only under written terms providing equivalent protection.
• Assist the Controller with data-subject requests and DPIAs to a reasonable extent.
• Notify the Controller without undue delay of any personal-data breach affecting their data.
• Return or delete personal data at the end of the engagement, save as required by law.

6. International transfers

Standard Contractual Clauses and the UK Addendum apply where required.

7. Audits

The Controller may request a copy of our most recent security audit report under NDA, or, on reasonable notice, conduct an audit at its own expense subject to confidentiality.

A counter-signed copy of this DPA is available on request from legal@smartify.sbs.